Possible httpd server attack, may need to harden ISPCONFIG or apache

I have been experiencing an issue with my httpd server configured to use ISPConfig 3.

ISPConfig Version: 3.0.2.2

What happens is one of two things.

Either a Joomla site 1.5.15 is being abused or Apache is being abused directly.

The result is:

A large number of processes is being opened up transferring Gigabytes of data to IP addresses in China.

I shut the attack down cold by dropping all outbound FTP traffic but still seem to be getting abused. Just now the nasty people are not achieving their goal. Can't leave outbound FTP shut down forever; WordPress uses it to take care of automatic updates.